Hi Robert, all:

As a disclaimer, I'm not an engineer/programmer, so I don't know all the technical specifications. However, I am a big advocate for Let's Encrypt, and think it sends a strong message about the service they offer if the RIPE community and NCC endorse them for our networks and infrastructure.

So, take my vote with a grain of salt, but I say let's do it (barring any kind of technical issue that I'm simply not aware of).

Best,
-Michael

On Tue, Sep 3, 2019 at 9:58 AM Robert Kisteleki <robert@ripe.net> wrote:
Still no one has answered why RIPE is using self-signed certs for anchor when they can use Let's Encrypt for free...
TL;DR: if the community prefers it, we use LE (+TLSA).
This comes with the expense of some one-time and ongoing operational work. Considering that anchors don't host any sensitive information, using self-signed certs (+TLSA) was so far considered good enough.
Regards, Robert